Risk Demonstration in GMP

Regulators do not assess whether risk assessments exist.
They assess whether decisions reflect risk.

Completed templates, scoring sheets, or FMEA documents do not demonstrate QRM on their own.

Risk is demonstrated through:

  • How decisions are made

  • How consistently they are applied

  • How well they are justified

This expectation is grounded in ICH Q9 and forms the basis of Quality Risk Management.

What Inspectors Actually Evaluate

Inspectors focus on decision quality, not documentation format.

They evaluate whether:

  • Similar situations are handled consistently

  • Risk assessments align with actions taken

  • Decisions are supported by data and reasoning

  • Escalation reflects actual impact

The structure behind these decisions is defined in Risk Management Process Steps.

Consistency Is the Primary Indicator of QRM

The most visible indicator of effective QRM is consistency.

Inspectors often compare:

  • Similar deviations

  • Similar changes

  • Similar audit findings

If outcomes differ without clear justification, this signals weak QRM.

Consistency does not mean identical decisions.
It means decisions are predictable and explainable.

Alignment Between Risk and Action

Risk assessments must align with actions.

Inspectors look for:

  • High-risk issues receiving stronger controls

  • Low-risk issues not being over-controlled

  • Escalation matching severity and impact

Misalignment between risk classification and action is a common inspection concern.

For example:

  • High-risk classification with minimal CAPA

  • Low-risk classification with excessive controls

Both indicate weak decision logic.

Evidence Must Reflect Real Decisions

Risk is demonstrated through operational evidence, not standalone documents.

Inspectors review:

  • Deviation records

  • CAPA decisions

  • Change control justifications

  • Validation scope decisions

They assess whether risk-based reasoning is visible in these systems.

Risk assessments that are not reflected in actual decisions are not considered effective.

How Inspectors Test Risk-Based Decisions

Inspectors do not rely on single examples.
They test systems through comparison.

They may:

  • Review multiple deviations of similar type

  • Compare change controls with similar impact

  • Evaluate CAPA responses across different cases

The objective is to determine whether decisions are:

  • Consistent

  • Repeatable

  • Based on defined criteria

If similar situations produce different outcomes without justification, this indicates that QRM is not functioning as a system.

Traceability of Risk Decisions

Effective QRM requires traceability.

Inspectors assess whether decisions can be followed from:

  • Risk assessment → decision → action → outcome

Examples include:

  • Change control → risk level → approval pathway

  • Deviation → risk classification → investigation depth

  • CAPA → risk assessment → effectiveness criteria

If traceability is unclear or broken, risk-based decision-making cannot be demonstrated.

How Terminology Is Evaluated in Practice

Inspectors do not evaluate definitions directly.
They evaluate application.

They assess whether:

  • Severity is interpreted consistently

  • Likelihood is supported by data

  • Detectability reflects actual controls

Inconsistent application of terminology leads to inconsistent decisions, even when scoring appears structured.

This is often the underlying cause of variability.

Handling of Uncertainty Is a Key Signal

Regulators expect organizations to recognize uncertainty.

They assess whether:

  • Data gaps are acknowledged

  • Assumptions are documented

  • Uncertainty influences decisions

A common concern arises when precise scores are assigned but underlying knowledge is limited.

This indicates that uncertainty has been ignored rather than managed.

Where QRM Breaks Across Systems

QRM failures often appear at system interfaces.

Common patterns include:

  • High-risk deviations with minimal CAPA

  • Low-risk changes with excessive approval layers

  • Inconsistent categorization of audit findings

  • Variation in validation scope without clear rationale

These issues indicate that risk is being assessed, but not applied consistently across systems.

Inspectors view this as a breakdown in governance, not execution.

Common Patterns That Trigger Inspection Concern

Inspectors consistently identify patterns such as:

  • Inconsistent decisions across similar cases

  • Risk assessments completed after decisions

  • Lack of defined acceptance criteria

  • Over-reliance on templates without reasoning

  • Failure to update risk assessments

These patterns indicate that QRM is not functioning as a decision framework.

What Good QRM Looks Like During Inspection

Effective QRM systems demonstrate:

  • Consistent decision-making across functions

  • Clear linkage between risk and action

  • Defined criteria for evaluation and escalation

  • Recognition and management of uncertainty

  • Alignment between documentation and execution

Inspectors do not expect perfection.
They expect clarity, consistency, and defensibility.

How Risk is Demonstrated Across Systems

Risk is not demonstrated in a single document.
It is demonstrated across systems.

Examples include:

  • Deviation handling → prioritization and escalation

  • Change control → level of review and approval

  • CAPA → scope and verification

  • Validation → extent of study

When these systems reflect consistent decision logic, QRM is considered effective.

Regulatory Perspective

Regulators do not expect specific tools or formats.
They expect defensible decisions.

Risk is demonstrated when:

  • Decisions are consistent

  • Reasoning is clear

  • Actions align with impact

  • Uncertainty is acknowledged

Systems that rely on templates struggle to demonstrate control.
Systems that apply consistent decision logic are easier to defend.

